First off, thanks for everyone's advice and help on my earlier threads about security!

After some consideration, I am not so sure that I want to fork over $$$ and get involved with Wireless contracts with companies like Verizon, who I basically think suck...

So, I would like to know, "Is it possible to *ethically* and *securely* manage a Server over a Free Wi-Fi connection using JUST a Personal VPN like HideMyAss or Witopia?"

From what others have said in my earlier threads, and from just using common sense, it would seem that if I bought wireless service with someone like Verizon, and while on the road away from home, first connected to their private wireless network, and then secondly I used something like WiTopia, that that would be the most secure, right?

But if I was using Free Wi-Fi at Denny's or wherever, and I connected to the Internet over a Personal VPN like WiTopia, could I manage a website that I am building and feel secure enough that I could trust things like Server Log-in Credentials and Customer Data - non-financial - using such a setup?

I hope that is a possibility, because I am pretty turned off by the pushy and obnoxious Telecoms here in the U.S....

I was all ready to say "yes, but you run the risk of the vpn provider spying on you".....until I hit your statement on customer data.

Protection of customer data typically falls under the law in most countries, depending on the type of data we're talking about, and if you don't make a reasonable argument of why the method you're using to protect it is enough to satisfy those laws, you can find yourself in hot water.

I assume you don't have full control over the server you want to manage? If you do, I'd recommend OpenVPN with both password and certificate authentication, which should (if your own machine is fairly locked down) provide decent security. I'd still consider asking legal advice over the customer data transmission (and storage) aspect though.

Much more convoluted, I would look into getting all traffic, not just web traffic, going over the VPN connection. It would be rather embarrassing if the browser was safe, but everything else like Toad, SSH, FTP, etc went over the public internet (yes ssh is encrypted, but doesn't mean you want people to know what server you went to).

I would set things up with 2 boxes:

1: a Server running OpenVPN, with 2 ports. One with an outside connection to connect to, and one with a connection to where I need to work.

2: the servers I worked on, only accept administrative remote connections (FTP, SSH, RDP, etc) from the address of the OpenVPN box.
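Added example (not part of any post in this thread): a Python check of the point above that all traffic, not just web traffic, should leave through the VPN. It applies longest-prefix matching to `ip route` output; the route tables, interface names (`tun0`, `wlan0`) and addresses are constructed samples, and the function names are hypothetical.

```python
import ipaddress

# Constructed `ip route` output: OpenVPN up with "redirect-gateway def1",
# which adds the two /1 routes that override the hotspot's default route.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
203.0.113.10 via 192.168.1.1 dev wlan0
"""
# Constructed: tunnel is up, but only the VPN subnet is routed through it.
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
"""
VPN_SERVER = "203.0.113.10"   # placeholder; the encrypted carrier must use Wi-Fi
DESTINATIONS = {              # constructed sample destinations
    "ssh/sftp to VPS": "198.51.100.20",
    "dns resolver": "1.1.1.1",
}

def parse_routes(text):
    """Return [(network, device)] for every route line that names a device."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if "dev" not in fields[:-1]:
            continue  # blank line, or unreachable/blackhole route
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue
        routes.append((net, fields[fields.index("dev") + 1]))
    return routes

def egress_device(routes, ip):
    """Longest-prefix match: the interface the kernel would pick for ip."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, dev) for net, dev in routes
            if net.version == addr.version and addr in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def leaks(route_text, destinations, tunnel_dev="tun0", allowed=(VPN_SERVER,)):
    """Map each destination that would bypass the tunnel to its interface."""
    routes = parse_routes(route_text)
    found = {name: egress_device(routes, ip)
             for name, ip in destinations.items() if ip not in allowed}
    return {n: d for n, d in found.items() if d != tunnel_dev}
```

With the full-tunnel table `leaks()` returns an empty dict; with the split-tunnel table it reports SSH/SFTP and DNS leaving over `wlan0`, which is the situation the post warns about.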

UKSecurityGuy wrote: I was all ready to say "yes, but you run the risk of the vpn provider spying on you".....until I hit your statement on customer data.

Protection of customer data typically falls under the law in most countries, depending on the type of data we're talking about, and if you don't make a reasonable argument of why the method you're using to protect it is enough to satisfy those laws, you can find yourself in hot water.

Let me play this out loud, and tell me if my thinking is right...

To protect information, I ultimately need Privacy and Security.

According to some, if I use a Personal VPN, then I have Privacy (and probably Security) between my laptop and - in this case - WiTopia's servers. Then from there, since I would be connecting to my Server over HTTPS, I should have Privacy and Security from WiTopia's Servers to my Web Hosting company and my Server, right?

I assume you don't have full control over the server you want to manage?

I have a Virtual Private Server (VPS) with a major web hosting company in the U.S., so I have "Root" access.

If you do, I'd recommend OpenVPN with both password and certificate authentication, which should (if your own machine is fairly locked down) provide decent security. I'd still consider asking legal advice over the customer data transmission (and storage) aspect though.

What is the difference between OpenVPN and say WiTopia or Hide-My-Ass?

BTW, as far as "Customer Data". It will always include basic things like you'd find on this forum (Username, Encrypted Password, Bio Info), and later on there will be an E-commerce site, but I will never store credit card info, and all purchases are one-off's, so it isn't like I'm storing billing info like Amazon.com would.

As long as I can't be hacked between my laptop and WiTopia, I think that should be my main emphasis. But then I'm not a networking or security expert like you guys?!

chrisj wrote: What I would do, would be to set up OpenVPN like UKSecurityGuy said.

Much more convoluted, I would look into getting all traffic, not just web traffic, going over the VPN connection. It would be rather embarrassing if the browser was safe, but everything else like Toad, SSH, FTP, etc went over the public internet (yes ssh is encrypted, but doesn't mean you want people to know what server you went to).

I would set things up with 2 boxes:

1: a Server running OpenVPN, with 2 ports. One with an outside connection to connect to, and one with a connection to where I need to work.

2: the servers I worked on, only accept administrative remote connections (FTP, SSH, RDP, etc) from the address of the OpenVPN box.

I think you guys are missing some key things to my situation...

I am a computer consultant whose life was upended when the "Great Recession" hit. The last 4 years have been hopping from short-term contract to short-term contract across the U.S.

I lost my place when the market crashed, so I literally "live on the road" without a permanent residence.

So, there is no way to have "servers at home" and a lot of infrastructure you guys assume.

When I am not working a day job or busy looking for a new day job, I am trying to start an online business with the hopes I can return to a more stable life.

So, there is Tom, Tom's Laptop, Tom's Virtual Private Server (VPS) with BigUSHostingCompany and lots of dangerous airspace in between!!

It sounds like many think that buying some "Personal VPN" like Hide My Ass or WiTopia (my choice) would be most of the battle.

I was considering getting a Wireless Plan with Verizon, but I am not sure I want to commit that much of my limited resources to a wireless contract, and I also found the application process to be really obnoxious and intrusive. (And since I don't have a "permanent residence", I doubt they would sell me a plan anyways...)

Challenging, eh?!

As I see it, there is POSSIBLE and PROBABLE.

I want to be *ethical* in my security choices, but I also have to be realistic, even if I did have a house and a more stable situation. (I can never be as secure as someone with a multi-million dollar security budget and 24/7 staff... And yet, I bet you my currently hand-coded website is more secure than a lot of my multi-million dollar client's sites...)

So I am here because I DO care.

I am hoping there are some reasonable steps I can take to protect myself and my customer's data (Pretty much Usergroup type data), but not set the bar so high that things never happen.

Are you concerned about your hosting provider eavesdropping on your traffic (if so, you should probably change providers)?

Just use your VPS; that's what I do. If you're only interested in protecting web traffic, it's trivial to use SSH as a SOCKS proxy. I'm not sure about other browsers, but Firefox lets you force DNS queries through SOCKS as well, so the network operator for whatever network you're on can't even see the sites you're trying to access, let alone the actual network communications.

If you need something more robust, implement OpenVPN. You're overcomplicating this; you can set up what you need with no extra cost or equipment.

You're on the road all of the time, with your own laptop, but with no internet connectivity.

You use free wireless hotspots (McDonalds et al) to get internet connectivity, but you're concerned that providers/users of those wireless hotspots will manipulate/spy on your data.

You have access to a VPS, and you're unconcerned about the VPS provider spying/manipulating your data

You have a hosted Ecommerce system somewhere that you're building, and your traffic between your machine and this Ecommerce system is encrypted (HTTPS).

In which case the advice I would give is the same as ajohnson's....use the VPS. Set up OpenVPN (which is essentially the same as other VPN providers, except that it's free and you control all of the security around it) and Squid on the VPS. Have your browser proxy all of its connections through Squid so that all of your web browsing is protected.

Essentially it's what I'm doing at the moment (although I have a stack more infrastructure running on the VPS) which protects my data when I'm anywhere away from home.

Plus it's a good learning experience!

If that's a bit too complicated for you, OpenSSH (as ajohnson said) works nearly as well.

UKSecurityGuy wrote: Just to take this back to basics for my understanding.....

You're on the road all of the time, with your own laptop, but with no internet connectivity.

Correct.

You use free wireless hotspots (McDonalds et al) to get internet connectivity, but you're concerned that providers/users of those wireless hotspots will manipulate/spy on your data.

Correct.

You have access to a VPS, and you're unconcerned about the VPS provider spying/manipulating your data

Hang on.

I have a Virtual Private Server with a major U.S. Hosting Company.

Actually, this point, like most, is probably above my head...

Since I am using a VPS on THEIR Servers, in THEIR Environment, in THEIR Data Centers, I guess, "Yes", I do trust them.

Should I not?

While I encrypt User Passwords, it is not like I have encrypted my entire database.

And by definition, you couldn't encrypt your website's code.

(This is probably a whole other thread...)

What I do now - after I've let everyone jump on board my UNsecured MacBook, is to use either Plesk to access my Web Hosting Account with my Web Host, or for actually working with things like files, I use Secure FTP.

But back to what I believe to be your original question, yes I am assuming that I can trust my Hosting Company. (If you couldn't, you'd be in trouble...)

You have a hosted Ecommerce system somewhere that you're building, and your traffic between your machine and this Ecommerce system is encrypted (HTTPS).

I have an SSL certificate, and if a user goes to "Check out", then they are switched from an HTTP connection to an HTTPS connection, so that all communications from their computer - assuming it wasn't hacked at McDonalds too - and my website on my VPS on my Hosting Company's system is "secure".

Is that what you were asking?

In which case the advice I would give is the same as ajohnson's....use the VPS.

Not trying to be a wiseguy, but that makes no sense...

A "Virtual Private Server" (VPS) is a virtual share on a physical server.

It has NOTHING to do with security...

I have been asking if a "Personal Virtual Private NETWORK" (VPN) by itself is secure to use on a Free Wi-Fi Network.

Completely different concepts...

Set up OpenVPN (which is essentially the same as other VPN providers, except that it's free and you control all of the security around it)

Yeah, but WiTopia is only like $50/year, and I'm probably not smart enough to set up my own OpenVPN.

PLUS, after reading things, the reason for my points above are that "I have no way to host a physical server back home, because there isn't one..."

So I don't see how OpenVPN would help?

and Squid on the VPS.

What does that mean?!

Have your browser proxy all of its connections through Squid so that all of your web browsing is protected.

I don't understand how that relates to something like WiTopia or Hide My Ass, and why it would be better?

Essentially it's what I'm doing at the moment (although I have a stack more infrastructure running on the VPS) which protects my data when I'm anywhere away from home.

Plus it's a good learning experience!

I'm all about learning, but everyone here should know I'm really not qualified to do much of anything with security or networking...

I am just a serious consumerist trying to establish a reasonable amount of Privacy and Security, and avoid having a Data Breach with my Website's Data and Users...

I am also looking for solutions that are easy enough to implement, that I won't F*** them up and put myself at GREATER RISK than before, if you follow me...

If that's a bit too complicated for you, OpenSSH (as ajohnson said) works nearly as well.

Again, I'm not following that...

But coming back to my OP...

Could a person - who is not worried about the Feds, and who is not doing anything illegal - establish enough Privacy and Security using just a "Personal VPN" (e.g. WiTopia) and Free Wi-Fi (e.g. McDonalds), to be able to ethically manage a Website with limited User Personally Identifiable Information?

I think my fear about connecting to the Internet via Free Wi-Fi while using WiTopia or HideMyAss, is that a hacker could somehow break up the "handshake" before I establish a "secure tunnel"...

If I had a JetPack from Verizon, in theory, unless you were sitting within 50 feet of me, and you knew my SSID, and you knew my passcode, then you couldn't break into Verizon's Wireless Network - at least not on my end.

By contrast, I just worry that it would be easier to hack into my WiTopia "secure tunnel" at McDonalds.

I do think that if a person truly established a "secure tunnel" with either Verizon or WiTopia, that either "secure tunnel" would be equally secure.

Although, the advantage of WiTopia, is that in practice, they are not logging the fact that I am a closet Justin Bieber freak... *JUST KIDDING*

Depends on how much you trust WiTopia not to sniff your traffic, but it sounds like you're down to a "this or no protection" scenario, then, yes (probably)

Note I've put a lot of (probably) statements in there. WiTopia could be sniffing all of their outgoing traffic, so they've got a higher probability of stealing your data than random joe getting lucky at a starbucks.

A security professional should only trust the security they've put in themselves (and even then you probably shouldn't trust it, be paranoid), which is why we've been suggesting OpenVPN or SSH tunnels.

Oh and just to clarify my earlier statement:

Not trying to be a wiseguy, but that makes no sense...

A "Virtual Private Server" (VPS) is a virtual share on a physical server.

It has NOTHING to do with security...

What I meant was - you control the VPS, so install security software on there (SSH/OpenVPN) and then send all of your traffic through that VPN tunnel.

UKSecurityGuy wrote: Ok - as this thread is rapidly spiralling out of control.

Not trying to make it so.

Is using WiTopia better than using an unsecured access point?

Yes (probably)

Is using WiTopia secure enough to manage my VPS

Depends on how much you trust WiTopia not to sniff your traffic, but it sounds like you're down to a "this or no protection" scenario, then, yes (probably)

Wow, you are down on WiTopia!

Let me rewind...

As I understand things - which doesn't mean much - when I connect to my Server using FileZilla with SecureFTP, I have a "secure tunnel" from my Laptop to my Server.

That being said, I don't see why you keep saying, "If you can trust WiTopia not to sniff your data"?

(Even if they did, in theory, they would just see encrypted packets, right?)

My whole angle and paranoia with Free Wi-Fi and a Personal VPN is that something could get screwed up during the handshake with WiTopia while at McDonalds.

I am not questioning the security/privacy of the encrypted tunnel between me and WiTopia.

(And I am not questioning the security/privacy of the encrypted tunnel between my FileZilla and my Server.)

What I am worried about - because of my sheer ignorance on these topics - is that *maybe* it is much easier to "jump on board" at McDonalds when I do anything on the UN-secured Free Wi-Fi, even if I start using WiTopia from the get-go.

Follow me?

(I am assuming that it is MUCH harder to hack into the handshake process between, say, my Laptop and a Verizon JetPack and Verizon's 4G Network.)

Follow me?

Obviously I could have this all wrong, and thus is why I'm being a pest here.

Note I've put a lot of (probably) statements in there. WiTopia could be sniffing all of their outgoing traffic, so they've got a higher probability of stealing your data than random joe getting lucky at a starbucks.

SecureFTP with my Server should handle that. And for everything else, if WiTopia was indeed sniffing people's communications, they wouldn't be in business very long...

A security professional should only trust the security they've put in themselves (and even then you probably shouldn't trust it, be paranoid), which is why we've been suggesting OpenVPN or SSH tunnels.

I apologize if I missed something you said, BUT I thought you or someone else made it sound like I needed a Physical Server back home to use OpenVPN... (Remember, I don't have that...)

Did I misunderstand you?

Oh and just to clarify my earlier statement:

Not trying to be a wiseguy, but that makes no sense...

A "Virtual Private Server" (VPS) is a virtual share on a physical server.

It has NOTHING to do with security...

What I meant was - you control the VPS, so install security software on there (SSH/OpenVPN) and then send all of your traffic through that VPN tunnel.

Hope that helps.

Well, like I said above, my Web Host helped me set up FileZilla so it uses SecureFTP which is supposed to give me an encrypted tunnel between me and my Server. (I'm not sure how that relates to SSH or OpenVPN...)